Note the User-Agent: Zollard and the reference to the files that will be fetched and executed upon successful compromise. The file names indicate several architectures: arm, ppc, mips, mipsel, and x86.

All files were fetched, and the x86 file was sandboxed on a Linux VM. Immediately, the VM began incrementally scanning 117.201.0.0/18 for open destination port 58455. The Linux malware also opened a listener on my VM's port 58455.

Compromised host listening on port 58455

Upon finding a remote host listening on that port, the local host would initially send 0x00020015 and would receive one of several replies, including 0x010005, 0x01010006, or 0x01020006.

Depending on the reply, the scanning host would then attempt a Telnet connection to the remote host that it had previously connected to on port 58445. Examining the strings of the malware files shows several usernames that are attempted, including "root" and "admin".
Weak or non-existent passwords allow a successful Telnet login, with examples below:

Example of Telnet session to a BusyBox device

Example of Telnet session to ARM architecture device
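The two behaviours described above, the /18 sweep for port 58455 and the 0x00020015 probe answered by one of the known reply values, are enough to build a simple flow-level detector. The following is an added example (not code from the original diary or from the malware) run over constructed flow records on RFC 5737 test addresses; it assumes the values are carried big-endian and uses a hypothetical threshold of 8 distinct targets per /18 before calling a source a scanner:

```python
import ipaddress
from collections import defaultdict

ZOLLARD_PORT = 58455
PROBE = 0x00020015                              # first value the scanning host sends
REPLIES = {0x010005, 0x01010006, 0x01020006}    # replies observed from an already-listening peer
SCAN_PREFIX = 18                                # the sample walked a /18 in the sandbox
SCAN_THRESHOLD = 8                              # hypothetical: distinct targets per /18 before we call it a scan

def decode(payload_hex):
    """Interpret a hex payload as a big-endian integer (assumed byte order); None if empty."""
    return int.from_bytes(bytes.fromhex(payload_hex), "big") if payload_hex else None

def find_handshakes(flows):
    """Flows on 58455 where the probe value was answered with a known reply.
    Both endpoints matter: the client is scanning, the server is already compromised."""
    hits = []
    for src, dst, dport, client_hex, server_hex in flows:
        if dport == ZOLLARD_PORT and decode(client_hex) == PROBE and decode(server_hex) in REPLIES:
            hits.append((src, dst))
    return hits

def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Sources that touched many distinct hosts on 58455 inside one /18: the sweep pattern."""
    targets = defaultdict(set)
    for src, dst, dport, _, _ in flows:
        if dport == ZOLLARD_PORT:
            net = ipaddress.ip_network(f"{dst}/{SCAN_PREFIX}", strict=False)
            targets[(src, str(net))].add(dst)
    return {src: net for (src, net), hosts in targets.items() if len(hosts) >= threshold}

# Constructed sample flows: (src, dst, dst_port, client_payload_hex, server_payload_hex).
# 203.0.113.9 sweeps 198.51.100.1-11; only .7 answers with a known reply value.
SAMPLE_FLOWS = [("203.0.113.9", f"198.51.100.{i}", ZOLLARD_PORT, "00020015",
                 "01010006" if i == 7 else "") for i in range(1, 12)]
SAMPLE_FLOWS.append(("203.0.113.9", "198.51.100.20", 80, "474554", "485454"))  # unrelated HTTP flow

if __name__ == "__main__":
    print("handshakes:", find_handshakes(SAMPLE_FLOWS))
    print("scanners:", find_scanners(SAMPLE_FLOWS))
```

In practice the flow tuples would come from a pcap or NetFlow export; a handshake hit names a host that is both infected and reachable, which is the one to pull off the network first.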

As mentioned earlier, the malware files for the x86, arm, mips, mipsel, and ppc architectures were fetched. You may find it of interest to see a strings dump of each of the files:

So who is "Zollard"? What is the relationship between the scanned targets and the original scanner?

There is a good deal more research to be done on this malware, as well as the hosting infrastructure supporting these exploit attempts. At this point, we believe that the malware hosting location is a compromised host, and is not part of this campaign.

We recommend blocking IP address 78.39.232.113 and ensuring that all Internet-facing devices, yes, "devices", are strongly secured.